Vulnerabilidades ICS Termómetro CCI 2021- 8
←
→
Transcripción del contenido de la página
Si su navegador no muestra la página correctamente, lea el contenido de la página a continuación
Vulnerabilidades
ICS Termómetro CCI
2021- 8
Tabla de contenido Introducción .................................................................................................................................... 4 Novedades 2021 .............................................................................................................................. 4 Fabricantes y debilidades ICS ........................................................................................................... 5 Nuevos fabricantes .......................................................................................................................... 5 Nuevas debilidades.......................................................................................................................... 6 Nuevas alertas................................................................................................................................. 7 Mapa de riesgo .............................................................................................................................. 10 Cambios en el riesgo de fabricante ................................................................................................ 11 ANEXO – I: Cálculo del mapa de riesgo ........................................................................................... 12 ANEXO II – Vulnerabilidades publicadas por elNIST desde el último termómetro CCI ................ 13 ANEXO III – Vulnerabilidades del nuevo fabricante (Bosch) en 2021 ............................................... 16
Profesional de la Ciberseguridad industrial desde hace más de diez años en distintas empresas como Schneider Electric, S21sec, EY, SecurityMatters, Forescout, Telefónica y actualmente enTITANIUM Industrial Security. Miembro activo del ecosistema del Centro de Ciberseguridad Industrial (CCI) desde 2013, profesional Nivel Negro y participando como autor y revisor de distintos estudios y documentos realizados por este.
Introducción
Desde la publicación del cuaderno “Una década de vulnerabilidades ICS” el 4 de mayo de 2020, se han
seguido publicando nuevas vulnerabilidades sobre sistemas ICS, lo que ha hecho variar la exposición al
riesgo de los fabricantes recogidos en dicho cuaderno.
Desde el CCI queremos mantener actualizada esta información para proporcionar una visión de la
evolución de estas vulnerabilidades para que el ecosistema pueda utilizarlas cómo precise en una
publicación que denominaremos Termómetro de vulnerabilidades ICS del CCI.
En cada actualización publicaremos:
• Evolución del número de fabricantes de sistemas de control incluidos en el termómetro
para elperiodo en curso
• Evolución de vulnerabilidades y alertas de los fabricantes de control incluidos en el termómetro
• El mapa de calor de exposición al riesgo de los fabricantes, actualizado a fecha de publicación.
• Comentarios acerca de la evolución del mapa de riesgo.
Novedades 2021
Para adaptarnos a la creciente casuística de vulnerabilidades públicas que afectan a varios fabricantes, en
el año 2021 se aplicará un nuevo criterio, publicando cada uno de los fabricantes afectados por esta única
vulnerabilidad (CVE). Para ser coherentes con este nuevo acercamiento, en 2021 hablaremos de
“Debilidades ICS” (ICS Weaknesses) para dar cabida a estas vulnerabilidades multifabricante.
4
Fabricantes y debilidades ICS
Nuevos fabricantes
En esta edición del termómetro CCI, se incluyen 2 nuevos fabricantes y su número pasa a 46 en 2021.
Riesgo Bajo Riesgo Medio Riesgo Alto Riesgo Muy Alto
N/A Bosch N/A N/A
Morpho (IDEMIA)
El número de fabricantes ICS monitorizados es clave para entender la volumetría de debilidades detectadas
cada año, y explica las diferencias que podemos encontrar en estudios similares realizados por otras compañías
y organizaciones, dado que el número de debilidades depende del conjunto de fabricantes contemplados.
Cómo ya expliqué en el documento que dio origen al termómetro CCI en Mayo de 2020, el conjunto de
fabricantes original fue el contemplado por el ICS-CERT, aunque a lo largo de este año y medio, este conjunto
se ha ido aumentando para tener en cuenta las soluciones más implantadas en entornos industriales del
ecosistema CCI.
Este es el caso de Bosch con 1 nueva debilidad publicada sobre sus cámaras IP. Este fabricantes ha visto
publicadas 20 debilidades en 2021, casi todas asociadas a sus soluciones de seguridad física (Cámaras IP de
vigilancia, sistemas de megafonía en red y sistemas de detección de incendios). Ver detalle en ANEXO III.
Morpho (IDEMIA) registra 3 debilidades (CVE-2021-35520, CVE-2021-35521 y CVE-2021-35522 ), siendo la
última una alerta por ser explotable en red, ser poco compleja y provocar la total indisponibilidad del
dispositivo. Las tres debilidades hacen referencia a un dispositivo de control de acceso biométrico utilizado
también en seguridad física.
5
Nuevas debilidades
El número de vulnerabilidades ICS publicadas y totalmente caracterizadas por el NIST desde la última
actualización es de 75.
Hay que explicar que este inusual aumento proviene de la inclusión de Bosch como fabricante de sistemas
de control. El ICS-CERT, cuya lista de fabricantes supuso el conjunto inicial a monitorizar en el termómetro
CCI, no contempla este fabricante. Intuyo que esto es por la menor implantación en USA de sus soluciones.
Sin embargo, en Europa la situación es muy distinta y grandes fabricantes, como Phoenix Contact, utilizan
sus productos (de origen Rexroth) en sus soluciones de automatización. El impacto de su inclusión en las
cifras de 2021 es de 20 nuevas debilidades y 2 alertas.
De las 55 restantes, un único fabricante, CODESYS, acumula el 20% de este número con 11 CVEs publicadas
en Agosto. Es de destacar que a esta fecha, se han publicado más vulnerabilidades sobre sus productos (26)
que en todo el año 2020 (7). Acumula un CVSS V2 de 6.4 en los últimos 10 años.
Siemens suma otras 10 debilidades publicadas en Agosto (1 de ellas considerada alerta) y alcanza las 169
vulnerabilidades en 2021. Un mes más, sigue encabezando el mapa de exposición al riesgo.
En el caso de Mitsubishi Electric, la publicación de 6 vulnerabilidades este mes (con 2 Alertas), le coloca en la
zona de riesgo medio y ya lleva 12 debilidades publicadas en 2021 sobre sus productos.
Fatek suma otras 3 debilidades sobre su producto Automation FvDesigner, y ya acumula 12 en 2021.
Morpho (IDEMIA) también ha visto publicadas 3 debilidades (una de ellas alertas) sobre dos de sus series de
productos, lo que hace sospechar de otro caso de amplificación de vulnerabilidades por reutilización de
librerías y/o módulos.
Finalmente, el producto R-SeeNet de Advantech suma 1 debilidad (considerada Alerta) en Agosto de 2021, lo
que afecta a su exposición al riesgo cómo fabricante.
Superado el ecuador de 2021, podemos constatar que la tendencia en la investigación de debilidades en los
sistemas de control utilizados en múltiples sectores, sigue creciendo de manera sostenida.
6
Nuevas alertas
Este mes, el NIST ha publicado 5 nuevas alertas de fabricante, pero la inclusión de Bosch en la lista del
termómetro, introduce dos nuevas Alertas publicadas en 2021.
(En el ANEXO III se proporciona información en detalle de todas ellas)
Recordamos que se clasifican cómo alertas dado que la explotación de la vulnerabilidad presenta una
complejidad baja, tiene cómo vector de acceso la red y puede causar una total pérdida de servicio. (Según
la clasificación CVSS V2, para permitir la clasificación histórica de debilidades en productos más antiguos).
Mitsubishi Electric ha visto publicadas 2 alertas sobre 2 de sus series de productos:
Mitsubishi Electric GT27 Mitsubishi Electric G50A
En ambos casos, el envío de paquetes IP maliciosos puede dejar el dispositivo asilado y su reconexión a la
red de control, necesitaría de un reinicio del dispositivo.
Date
CVE CVSS Warning Description
published
CVE-2021-20592 2021-08-05 7.8 Missing synchronization vulnerability in GOT2000 series GT27 model communication
driver versions 01.19.000 through 01.39.010, GT25 model communication driver
versions 01.19.000 through 01.39.010 and GT23 model communication driver
versions 01.19.000 through 01.39.010 and GT SoftGOT2000 versions 1.170C through
1.256S allows a remote unauthenticated attacker to cause DoS condition on the
MODBUS/TCP slave communication function of the products by rapidly and
repeatedly connecting and disconnecting to and from the MODBUS/TCP
communication port on a target. Restart or reset is required to recover.
CVE-2021-20595 2021-07-13 8.5 Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi
Electric Air Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior,
GB-50A Ver.3.35 and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and
prior, AG-150A-J Ver.3.20 and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J
Ver.3.20 and prior, EB-50GU-A Ver 7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-
200A Ver 7.93 and prior, AE-200E Ver 7.93 and prior, AE-50A Ver 7.93 and prior, AE-
50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior, EW-50E Ver 7.93 and prior, TE-
200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A Ver 7.93 and prior,
CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion Controllers
(PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM adapter(BAC-
HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to disclose
some of data in the air conditioning system or cause a DoS condition by sending
specially crafted packets.
7
En el caso de Morpho (IDEMIA), 1 nueva alerta ha sido publicada por el NIST este mes sobre sus productos
Morpho Wave y VisionPass:
Morpho Wave VisionPass
Ambos sistemas proporcionan soluciones de seguridad física (Control de acceso), por lo que sería
importante su rápida actualización a versiones no vulnerables.
Date
CVE CVSS Warning Description
published
CVE-2021-35522 2021-07-22 9.0 A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact
and VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD
devices before 4.9.7 allows remote attackers to achieve code execution, denial of
services, and information disclosure via TCP/IP packets.
El problema está relacionado con el stack TCP/IP que ambos dispositivos utilizan.
No parece que las recomendaciones sobre evaluaciones de seguridad de los productos en la fase de diseño,
adquisición y pruebas de aceptación, esté prosperando mucho.
Advantech vuelve a sorprendernos con 1 nueva alerta sobre su producto R-SeeNet ( y ya van 5 en 2021)
Date
CVE CVSS Warning Description
published
CVE-2021-21805 2021-08-05 10.0 An OS Command Injection vulnerability exists in the ping.php script functionality of
Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead
to arbitrary OS command execution. An attacker can send a crafted HTTP request to
trigger this vulnerability.
La debilidad viene motivada por la escasa verificación de los parámetros recibidos en las peticiones HTTP.
Para ser más académicos:
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
8Siemens acumula 1 nueva alerta este mes sobre su producto SINEC NMS:
Date
CVE CVSS Warning Description
published
CVE-2021-35721 2021-08-10 9.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The
affected application incorrectly neutralizes special elements when creating batch
operations which could lead to command injection. An authenticated remote
attacker with administrative privileges could exploit this vulnerability to execute
arbitrary code on the system with system privileges.
El problema es parecido al de la aplicación de Advantech:
CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
9Mapa de riesgo
31 de Agosto de 2021
Circutor
Advantech
Bosch
Digitek Hilscher Siemens
Motorola Solutions Miitsubishi Electric
Pro-face Moxa
Zebra Industrial Panasonic
Phoenix Contact
Schneider Electric
Beckhoff
Belden
CODESYS
Delta Electronics
Digi
Eaton
eWON
Fatek
Fuji Electric Emerson
Hirschmann GE
Honeywell Mikrotik
Johnson Controls
Kepware
Omron
PTC (ThingWorx)
Rockwell
Software Toolbox
Wibu Systems
Wind River
ABB
Philips
ProSoft
RuggedCom
SafeNet
SearchBlox
Tesla
Wago
Aveva
10Cambios en el riesgo de fabricante
Debido al alto número de debilidades publicadas por el NIST en Agosto sobre productos de Siemens ha
hecho que su exposición al riesgo continue en el valor Muy Alto.
Schneider Electric se vuelve a situar en la zona de riesgo Medio+ por un tema meramente estadístico
en el cálculo del mapa de riesgo.
Bosch se situa directamente en la zona de riesgo Medio+ junto con otros fabricantes (Advantech,
Hilscher, Mitsubishi Electric, Morpho, Moxa, Panasonic, Phoenix Contact y Schneider Electric).
El resto de los fabricantes mantienen su nivel en el mapa de calor cualitativo de exposición al riesgo.
11ANEXO – I: Cálculo del mapa de riesgo
Con objeto de mostrar de una manera gráfica y rápida la postura de cada fabricante en lo que se refiere al
riesgo asociado a las vulnerabilidades publicadas, he seleccionado un formato gráfico muy común en la
gestión de Riesgos: el mapa de calor.
Este diagrama presenta distintos colores para representar el riesgo asociado de manera cualitativa y en
cuatro rangos: Bajo, Medio, Alto y Muy Alto.
MUY ALTO
ALTO
MEDIO
BAJO
La posición de cada fabricante dentro del mapa depende de los valores obtenidos en dos parámetros
asociados con la probabilidad (Número de CVEs publicados) y el impacto de dichos CVEs (Valor medio de
CVSS).
Para cada año, se ha calculado cada uno de estos valores entre 1 y 5.
• En el eje horizontal, se ha calculado el valor proporcional al número de CVEs publicados para
esefabricante en un año concreto en comparación con el fabricante con mayor número de CVEs.
• En el eje vertical se ha calculado el valor medio de CVSS de los CVEs publicados ese año y se
hadividido entre 2.
Para intentar dar una idea más cualitativa en lo que se refiere a la postura de cada fabricante, se han
introducido dos correcciones en el cálculo:
• Si el fabricante tiene algún CVE ese año considerado cómo Alerta (Acceso por la red,
complejidadbaja e impacto completo en disponibilidad), se incrementa en una unidad el impacto
(Eje vertical)y en una unidad la probabilidad (Eje horizontal). Esto se realiza para diferenciar a
este fabricante de otros sin este tipo de CVEs y posicionarlo en una zona de mayor riesgo.
• De la misma manera, si un fabricante tiene algún CVE ese año con un valor CVSS de 10.0, se
incrementa en una unidad la probabilidad (Eje horizontal). Esto se realiza para diferenciar a
estefabricante de otros sin este tipo de CVEs y posicionarlo en una zona de mayor riesgo.
Se ha estudiado mediante distintas simulaciones que estas correcciones no suponen grandes alteraciones
en la postura global del riesgo de ese fabricante y, sin embargo, presentan un diagnóstico cualitativo más
ajustado.
12ANEXO II – Vulnerabilidades publicadas por el
NIST desde el último termómetro CCI
CVE Date CVSS Warning Description
published V2
CVE-2021-31338 2021-08-19 4.6 A vulnerability has been identified in SINEMA Remote Connect Client (All versions < V3.0
SP1). Affected devices allow to modify configuration settings over an unauthenticated
channel. This could allow a local attacker to escalate privileges and execute own code on
the device.
CVE-2021-33721 2021-08-10 9.0 A vulnerability has been identified in SINEC NMS (All versions < V1.0 SP2). The affected
application incorrectly neutralizes special elements when creating batch operations which
could lead to command injection. An authenticated remote attacker with administrative
privileges could exploit this vulnerability to execute arbitrary code on the system with
system privileges.
CVE-2021-20592 2021-08-05 7.8 Missing synchronization vulnerability in GOT2000 series GT27 model communication driver
versions 01.19.000 through 01.39.010, GT25 model communication driver versions
01.19.000 through 01.39.010 and GT23 model communication driver versions 01.19.000
through 01.39.010 and GT SoftGOT2000 versions 1.170C through 1.256S allows a remote
unauthenticated attacker to cause DoS condition on the MODBUS/TCP slave
communication function of the products by rapidly and repeatedly connecting and
disconnecting to and from the MODBUS/TCP communication port on a target. Restart or
reset is required to recover.
CVE-2021-21805 2021-08-05 10.0 An OS Command Injection vulnerability exists in the ping.php script functionality of
Advantech R-SeeNet v 2.4.12 (20.10.2020). A specially crafted HTTP request can lead to
arbitrary OS command execution. An attacker can send a crafted HTTP request to trigger
this vulnerability.
CVE-2021-35522 2021-07-22 9.0 A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and
VisionPass devices before 2.6.2, Sigma devices before 4.9.4, and MA VP MD devices before
4.9.7 allows remote attackers to achieve code execution, denial of services, and information
disclosure via TCP/IP packets.
CVE-2021-20595 2021-07-13 8.5 Improper Restriction of XML External Entity Reference vulnerability in Mitsubishi Electric Air
Conditioning System/Centralized Controllers (G-50A Ver.3.35 and prior, GB-50A Ver.3.35
and prior, GB-24A Ver.9.11 and prior, AG-150A-A Ver.3.20 and prior, AG-150A-J Ver.3.20
and prior, GB-50ADA-A Ver.3.20 and prior, GB-50ADA-J Ver.3.20 and prior, EB-50GU-A Ver
7.09 and prior, EB-50GU-J Ver 7.09 and prior, AE-200A Ver 7.93 and prior, AE-200E Ver 7.93
and prior, AE-50A Ver 7.93 and prior, AE-50E Ver 7.93 and prior, EW-50A Ver 7.93 and prior,
EW-50E Ver 7.93 and prior, TE-200A Ver 7.93 and prior, TE-50A Ver 7.93 and prior, TW-50A
Ver 7.93 and prior, CMS-RMD-J Ver.1.30 and prior), Air Conditioning System/Expansion
Controllers (PAC-YG50ECA Ver.2.20 and prior) and Air Conditioning System/BM
adapter(BAC-HD150 Ver.2.21 and prior) allows a remote unauthenticated attacker to
disclose some of data in the air conditioning system or cause a DoS condition by sending
specially crafted packets.
CVE-2020-20221 2021-07-21 6.8 Mikrotik RouterOs before 6.44.6 (long-term tree) suffers from an uncontrolled resource
consumption vulnerability in the /nova/bin/cerm process. An authenticated remote
attacker can cause a Denial of Service due to overloading the systems CPU.
CVE-2021-21868 2021-08-18 6.8 An unsafe deserialization vulnerability exists in the ObjectManager.plugin
Project.get_MissingTypes() functionality of CODESYS GmbH CODESYS Development System
3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution. An
attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21867 2021-08-18 6.8 An unsafe deserialization vulnerability exists in the ObjectManager.plugin
ObjectStream.ProfileByteArray functionality of CODESYS GmbH CODESYS Development
System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution.
An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-32939 2021-08-11 6.8 FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to an out-of-bounds
write while processing project files, allowing an attacker to craft a project file that may
permit arbitrary code execution.
CVE-2021-32947 2021-08-11 6.8 FATEK Automation FvDesigner, Versions 1.5.88 and prior is vulnerable to a stack-based
buffer overflow, which may allow an attacker to execute arbitrary code.
CVE-2021-32931 2021-08-11 6.8 An uninitialized pointer in FATEK Automation FvDesigner, Versions 1.5.88 and prior may be
exploited while the application is processing project files, allowing an attacker to craft a
special project file that may permit arbitrary code execution.
CVE-2021-32943 2021-08-10 7.5 The affected product is vulnerable to a stack-based buffer overflow, which may allow an
attacker to remotely execute arbitrary code on the WebAccess/SCADA (WebAccess/SCADA
versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).
13CVE Date CVSS Warning Description
published V2
CVE-2021-37180 2021-08-10 6.8 A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). The
PSKERNEL.dll library lacks proper validation while parsing user-supplied OBJ files that could
cause an out of bounds access to an uninitialized pointer. An attacker could leverage this
vulnerability to execute code in the context of the current process. (ZDI-CAN-13775)
CVE-2021-37179 2021-08-10 6.8 A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). The
PSKERNEL.dll library in affected application lacks proper validation while parsing user-
supplied OBJ files that could lead to a use-after-free condition. An attacker could leverage
this vulnerability to execute code in the context of the current process. (ZDI-CAN-13777)
CVE-2021-37172 2021-08-10 5.0 A vulnerability has been identified in SIMATIC S7-1200 CPU family (incl. SIPLUS variants)
(V4.5.0). Affected devices fail to authenticate against configured passwords when
provisioned using TIA Portal V13. This could allow an attacker using TIA Portal V17 or later
versions to bypass authentication and download arbitrary programs to the PLC. The
vulnerability does not occur when TIA Portal V13 SP1 or any later version was used to
provision the device.
CVE-2020-28397 2021-08-10 5.0 A vulnerability has been identified in SIMATIC Drive Controller family (All versions < V2.9.2),
SIMATIC ET 200SP Open Controller CPU 1515SP PC2 (incl. SIPLUS variants) (All versions),
SIMATIC S7 PLCSIM Advanced (All versions > V2 < V4), SIMATIC S7-1200 CPU family (incl.
SIPLUS variants) (Version V4.4), SIMATIC S7-1500 CPU family (incl. related ET200 CPUs and
SIPLUS variants) (All versions > V2.5 < V2.9.2), SIMATIC S7-1500 Software Controller (All
versions > V2.5), TIM 1531 IRC (incl. SIPLUS NET variants) (Version V2.1). Due to an incorrect
authorization check in the affected component, an attacker could extract information about
access protected PLC program variables over port 102/tcp from an affected device when
reading multiple attributes at once.
CVE-2021-25659 2021-08-10 5.0 A vulnerability has been identified in Automation License Manager 5 (All versions),
Automation License Manager 6 (All versions < V6.0 SP9 Update 2). Sending specially crafted
packets to port 4410/tcp of an affected system could lead to extensive memory being
consumed and as such could cause a denial-of-service preventing legitimate users from
using the system.
CVE-2021-37178 2021-08-10 4.3 A vulnerability has been identified in Solid Edge SE2021 (All Versions < SE2021MP7). An XML
external entity injection vulnerability in the underlying XML parser could cause the affected
application to disclose arbitrary files to remote attackers by loading a specially crafted xml
file.
CVE-2021-33738 2021-08-10 4.3 A vulnerability has been identified in JT2Go (All versions < V13.2.0.2), Teamcenter
Visualization (All versions < V13.2.0.2). The plmxmlAdapterSE70.dll library in affected
applications lacks proper validation of user-supplied data when parsing PAR files. This could
result in an out of bounds read past the end of an allocated buffer. An attacker could
leverage this vulnerability to leak information in the context of the current process. (ZDI-
CAN-13405)
CVE-2021-33717 2021-08-10 4.3 A vulnerability has been identified in JT2Go (All versions < V13.2.0.1), Teamcenter
Visualization (All versions < V13.2.0.1). When parsing specially crafted CGM Files, a NULL
pointer deference condition could cause the application to crash. The application must be
restarted to restore the service. An attacker could leverage this vulnerability to cause a
Denial-of-Service condition in the application.
CVE-2020-21682 2021-08-10 4.3 A global buffer overflow in the set_fill component in genge.c of fig2dev 3.2.7b allows
attackers to cause a denial of service (DOS) via converting a xfig file into ge format.
CVE-2020-21681 2021-08-10 4.3 A global buffer overflow in the set_color component in genge.c of fig2dev 3.2.7b allows
attackers to cause a denial of service (DOS) via converting a xfig file into ge format.
CVE-2021-22676 2021-08-10 4.3 UserExcelOut.asp within WebAccess/SCADA is vulnerable to cross-site scripting (XSS), which
could allow an attacker to send malicious JavaScript code. This could result in hijacking of
cookie/session tokens, redirection to a malicious webpage, and unintended browser action
on the WebAccess/SCADA (WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA
versions prior to 9.0.1).
CVE-2021-22674 2021-08-10 4.0 The affected product is vulnerable to a relative path traversal condition, which may allow an
attacker access to unauthorized files and directories on the WebAccess/SCADA
(WebAccess/SCADA versions prior to 8.4.5, WebAccess/SCADA versions prior to 9.0.1).
CVE-2021-20597 2021-08-06 6.4 Insufficiently Protected Credentials vulnerability in Mitsubishi Electric MELSEC iQ-R series
CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all versions) allows
a remote unauthenticated attacker to login to the target unauthorizedly by sniffing network
traffic and obtaining credentials when registering user information in the target or changing
a password.
CVE-2021-20598 2021-08-06 5.0 Overly Restrictive Account Lockout Mechanism vulnerability in Mitsubishi Electric MELSEC
iQ-R series CPU modules (R08/16/32/120SFCPU all versions, R08/16/32/120PSFCPU all
versions) allows a remote unauthenticated attacker to lockout a legitimate user by
continuously trying login with incorrect password.
CVE-2021-20594 2021-08-06 5.0 Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Mitsubishi
Electric MELSEC iQ-R series CPU modules (R08/16/32/120SFCPU all versions,
14CVE Date CVSS Warning Description
published V2
R08/16/32/120PSFCPU all versions) allows a remote unauthenticated attacker to acquire
legitimate user names registered in the module via brute-force attack on user names.
CVE-2021-23849 2021-08-05 6.8 A vulnerability in the web-based interface allows an unauthenticated remote attacker to
trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request
Forgery). This requires the victim to be tricked into clicking a malicious link or opening a
malicious website while being logged in into the camera.
CVE-2021-21863 2021-08-05 6.8 A unsafe deserialization vulnerability exists in the ComponentModel Profile.FromFile()
functionality of CODESYS GmbH CODESYS Development System 3.5.16 and 3.5.17. A
specially crafted file can lead to arbitrary command execution. An attacker can provide a
malicious file to trigger this vulnerability.
CVE-2021-36764 2021-08-04 5.0 In CODESYS Gateway V3 before 3.5.17.10, there is a NULL Pointer Dereference. Crafted
communication requests may cause a Null pointer dereference in the affected CODESYS
products and may result in a denial-of-service condition.
CVE-2021-36765 2021-08-04 5.0 In CODESYS EtherNetIP before 4.1.0.0, specific EtherNet/IP requests may cause a null
pointer dereference in the downloaded vulnerable EtherNet/IP stack that is executed by the
CODESYS Control runtime system.
CVE-2021-33485 2021-08-03 7.5 CODESYS Control Runtime system before 3.5.17.10 has a Heap-based Buffer Overflow.
CVE-2021-33486 2021-08-03 5.0 All versions of the CODESYS V3 Runtime Toolkit for VxWorks from version V3.5.8.0 and
before version V3.5.17.10 have Improper Handling of Exceptional Conditions.
CVE-2021-36763 2021-08-03 5.0 In CODESYS V3 web server before 3.5.17.10, files or directories are accessible to External
Parties.
CVE-2021-21865 2021-08-02 6.8 A unsafe deserialization vulnerability exists in the PackageManagement.plugin
ExtensionMethods.Clone() functionality of CODESYS GmbH CODESYS Development System
3.5.16. A specially crafted file can lead to arbitrary command execution. An attacker can
provide a malicious file to trigger this vulnerability.
CVE-2021-21866 2021-08-02 6.8 A unsafe deserialization vulnerability exists in the ObjectManager.plugin
ProfileInformation.ProfileData functionality of CODESYS GmbH CODESYS Development
System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary command execution.
An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-21864 2021-08-02 6.8 A unsafe deserialization vulnerability exists in the ComponentModel
ComponentManager.StartupCultureSettings functionality of CODESYS GmbH CODESYS
Development System 3.5.16 and 3.5.17. A specially crafted file can lead to arbitrary
command execution. An attacker can provide a malicious file to trigger this vulnerability.
CVE-2021-29298 2021-07-30 2.6 Improper Input Validation in Emerson GE Automation Proficy Machine Edition v8.0 allows
an attacker to cause a denial of service and application crash via crafted traffic from a Man-
in-the-Middle (MITM) attack to the component "FrameworX.exe"in the module
"fxVPStatcTcp.dll".
CVE-2021-29297 2021-07-30 2.6 Buffer Overflow in Emerson GE Automation Proficy Machine Edition v8.0 allows an attacker
to cause a denial of service and application crash via crafted traffic from a Man-in-the-
Middle (MITM) attack to the component "FrameworX.exe" in the module "MSVCR100.dll".
CVE-2020-20741 2021-07-23 7.5 Incorrect Access Control in Beckhoff Automation GmbH & Co. KG CX9020 with firmware
version CX9020_CB3011_WEC7_HPS_v602_TC31_B4016.6 allows remote attackers to
bypass authentication via the "CE Remote Display Tool" as it does not close the incoming
connection on the Windows CE side if the credentials are incorrect.
CVE-2021-20596 2021-07-22 5.0 NULL Pointer Dereference in MELSEC-F Series FX3U-ENET firmware version 1.14 and prior,
FX3U-ENET-L firmware version 1.14 and prior and FX3U-ENET-P502 firmware version 1.14
and prior allows a remote unauthenticated attacker to cause a DoS condition in
communication by sending specially crafted packets. Control by MELSEC-F series PLC is not
affected and system reset is required for recovery.
CVE-2021-35521 2021-07-22 4.9 A path traversal in Thrift command handlers in IDEMIA Morpho Wave Compact and
VisionPass devices before 2.6.2 allows remote authenticated attackers to achieve denial of
services and information disclosure via TCP/IP packets.
CVE-2021-35520 2021-07-22 4.6 A Buffer Overflow in Thrift command handlers in IDEMIA Morpho Wave Compact and
VisionPass devices before 2.6.2 allows physically proximate authenticated attackers to
achieve code execution, denial of services, and information disclosure via serial ports.
CVE-2021-22772 2021-07-21 7.5 A CWE-306: Missing Authentication for Critical Function vulnerability exists in Easergy T200
((Modbus) SC2-04MOD-07000100 and earlier), Easergy T200 ((IEC104) SC2-04IEC-07000100
and earlier), and Easergy T200 ((DNP3) SC2-04DNP-07000102 and earlier) that could cause
unauthorized operation when authentication is bypassed.
15ANEXO III – Vulnerabilidades del nuevo
fabricante (Bosch) en 2021
Date CVSS
CVE Warning Description
published V2
CVE-2021-23849 2021-08-05 6.8 A vulnerability in the web-based interface allows an unauthenticated remote attacker to
trigger actions on an affected system on behalf of another user (CSRF - Cross Site Request
Forgery). This requires the victim to be tricked into clicking a malicious link or opening a
malicious website while being logged in into the camera.
CVE-2021-23845 2021-06-18 6.8 This vulnerability could allow an attacker to hijack a session while a user is logged in the
configuration web page. This vulnerability was discovered by a security researcher in B426
and found during internal product tests in B426-CN/B429-CN, and B426-M and has been
fixed already starting from version 3.08 on, which was released on June 2019.
CVE-2021-23846 2021-06-18 4.3 When using http protocol, the user password is transmitted as a clear text parameter for
which it is possible to be obtained by an attacker through a MITM attack. This will be fixed
starting from Firmware version 3.11.5, which will be released on the 30th of June, 2021.
CVE-2021-23853 2021-06-09 7.5 In Bosch IP cameras, improper validation of the HTTP header allows an attacker to inject
arbitrary HTTP headers through crafted URLs.
CVE-2021-23847 2021-06-09 6.4 A Missing Authentication in Critical Function in Bosch IP cameras allows an
unauthenticated remote attacker to extract sensitive information or change settings of
the camera by sending crafted requests to the device. Only devices of the CPP6, CPP7 and
CPP7.3 family with firmware 7.70, 7.72, and 7.80 prior to B128 are affected by this
vulnerability. Versions 7.62 or lower and INTEOX cameras are not affected.
CVE-2021-23854 2021-06-09 4.3 An error in the handling of a page parameter in Bosch IP cameras may lead to a reflected
cross site scripting (XSS) in the web-based interface. This issue only affects versions 7.7x
and 7.6x. All other versions are not affected.
CVE-2021-23848 2021-06-09 4.3 An error in the URL handler Bosch IP cameras may lead to a reflected cross site scripting
(XSS) in the web-based interface. An attacker with knowledge of the camera address can
send a crafted link to a user, which will execute javascript code in the context of the user.
CVE-2021-23852 2021-06-09 4.0 An authenticated attacker with administrator rights Bosch IP cameras can call an URL with
an invalid parameter that causes the camera to become unresponsive for a few seconds
and cause a Denial of Service (DoS).
CVE-2020-6790 2021-03-25 6.9 Calling an executable through an Uncontrolled Search Path Element in the Bosch Video
Streaming Gateway installer up to and including version 6.45.10 potentially allows an
attacker to execute arbitrary code on a victim's system. A prerequisite is that the victim is
tricked into placing a malicious exe in the same directory where the installer is started
from.
CVE-2020-6786 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Recording
Manager installer up to and including version 3.82.0055 for 3.82, up to and including
version 3.81.0064 for 3.81 and 3.71 and older potentially allows an attacker to execute
arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing
a malicious DLL in the same directory where the installer is started from.
CVE-2020-6785 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in Bosch BVMS and BVMS
Viewer in versions 10.1.0, 10.0.1, 10.0.0 and 9.0.0 and older potentially allows an attacker
to execute arbitrary code on a victim's system. This affects both the installer as well as the
installed application. This also affects Bosch DIVAR IP 7000 R2, Bosch DIVAR IP all-in-one
5000 and Bosch DIVAR IP all-in-one 7000 with installers and installed BVMS versions prior
to BVMS 10.1.1.
CVE-2020-6787 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Video Client
installer up to and including version 1.7.6.079 potentially allows an attacker to execute
arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing
a malicious DLL in the same directory where the installer is started from.
CVE-2020-6789 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Monitor Wall
installer up to and including version 10.00.0164 potentially allows an attacker to execute
arbitrary code on a victim's system. A prerequisite is that the victim is tricked into placing
a malicious DLL in the same directory where the installer is started from.
CVE-2020-6771 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in Bosch IP Helper up to and
including version 1.00.0008 potentially allows an attacker to execute arbitrary code on a
victim's system. A prerequisite is that the victim is tricked into placing a malicious DLL in
the same application directory as the portable IP Helper application.
CVE-2020-6788 2021-03-25 6.9 Loading a DLL through an Uncontrolled Search Path Element in the Bosch Configuration
Manager installer up to and including version 7.21.0078 potentially allows an attacker to
16Date CVSS
CVE Warning Description
published V2
execute arbitrary code on a victim's system. A prerequisite is that the victim is tricked into
placing a malicious DLL in the same directory where the installer is started from.
CVE-2019-11684 2021-02-26 10.0 Improper Access Control in the RCP+ server of the Bosch Video Recording Manager (VRM)
component allows arbitrary and unauthenticated access to a limited subset of certificates,
stored in the underlying Microsoft Windows operating system. The fixed versions
implement modified authentication checks. Prior releases of VRM software version 3.70
are considered unaffected. This vulnerability affects VRM v3.70.x, v3.71 < v3.71.0034 and
v3.81 < 3.81.0050; DIVAR IP 5000 3.80 < 3.80.0039; BVMS all versions using VRM.
CVE-2020-6780 2021-01-26 4.0 Use of Password Hash With Insufficient Computational Effort in the database of Bosch
FSM-2500 server and Bosch FSM-5000 server up to and including version 5.2 allows a
remote attacker with admin privileges to dump the credentials of other users and possibly
recover their plain-text passwords by brute-forcing the MD5 hash.
CVE-2020-6779 2021-01-26 10.0 Use of Hard-coded Credentials in the database of Bosch FSM-2500 server and Bosch FSM-
5000 server up to and including version 5.2 allows an unauthenticated remote attacker to
log into the database with admin-privileges. This may result in complete compromise of
the confidentiality and integrity of the stored data as well as a high availability impact on
the database itself. In addition, an attacker may execute arbitrary commands on the
underlying operating system.
CVE-2020-6776 2021-01-14 6.8 A vulnerability in the web-based management interface of Bosch PRAESIDEO until and
including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an
unauthenticated remote attacker to trigger actions on an affected system on behalf of
another user (Cross-Site Request Forgery). This requires the victim to be tricked into
clicking a malicious link or submitting a malicious form. A successful exploit allows the
attacker to perform arbitrary actions with the privileges of the victim, e.g. creating and
modifying user accounts, changing system configuration settings and cause DoS
conditions. Note: For Bosch PRAESIDEO 4.31 and newer and Bosch PRAESENSA in all
versions, the confidentiality impact is considered low because user credentials are not
shown in the web interface.
CVE-2020-6777 2021-01-14 3.5 A vulnerability in the web-based management interface of Bosch PRAESIDEO until and
including version 4.41 and Bosch PRAESENSA until and including version 1.10 allows an
authenticated remote attacker with admin privileges to mount a stored Cross-Site-
Scripting (XSS) attack against another user. When the victim logs into the management
interface, the stored script code is executed in the context of his browser. A successful
exploit would allow an attacker to interact with the management interface with the
privileges of the victim. However, as the attacker already needs admin privileges, there is
no additional impact on the management interface itself.
17También puede leer
